# REPRO-2026-00193: ProFTPD ACL bypass via /proc/self/root path prefix in RNFR

## Summary

- Status: published
- Severity: high
- Type: security
- Confidence: high

## Identifiers

- REPRO ID: REPRO-2026-00193
- CVE: CVE-2026-35025

## Package

- Name: proftpd/proftpd
- Ecosystem: github
- Affected: ProFTPD through 1.3.9b and through 1.3.10rc2
- Fixed: Unknown

## Root Cause

CVE-2026-35025

## Reproduction Details

- Reproduced: 2026-07-01T20:43:45.790Z
- Duration: 5298 seconds
- Tool calls: 258
- Turns: Unknown
- Handoffs: 3

## Quick Verification

Run one of these commands to verify locally:

```
pruva-verify REPRO-2026-00193
pruva-verify CVE-2026-35025
```

Or open in GitHub Codespaces (zero-friction, auto-runs):

https://github.com/codespaces/new?ref=repro/REPRO-2026-00193&repo=N3mes1s/pruva-sandbox

Or download and run the script manually:

```
curl -O https://api.pruva.dev/v1/reproductions/REPRO-2026-00193/artifacts/bundle/repro/reproduction_steps.sh
chmod +x reproduction_steps.sh
./reproduction_steps.sh
```

WARNING: Run in a sandboxed environment. This exploits a real vulnerability.

## References

- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-35025

## Artifacts

- bundle/repro/reproduction_steps.sh (reproduction_script, 13194 bytes)
- bundle/repro/rca_report.md (analysis, 7913 bytes)
- bundle/vuln_variant/reproduction_steps.sh (reproduction_script, 9679 bytes)
- bundle/vuln_variant/rca_report.md (analysis, 8306 bytes)
- bundle/coding/proposed_fix.diff (patch, 759 bytes)
- bundle/repro/ftp-root/public/leaked.txt (other, 73 bytes)
- bundle/repro/proftpd.group (other, 26 bytes)
- bundle/repro/artifacts/ftp_exploit_output.txt (other, 4790 bytes)
- bundle/repro/proftpd.conf (other, 1055 bytes)
- bundle/repro/runtime_manifest.json (other, 754 bytes)
- bundle/repro/ftp_exploit.py (script, 3836 bytes)
- bundle/repro/proftpd.passwd (other, 222 bytes)
- bundle/repro/validation_verdict.json (other, 731 bytes)
- bundle/ticket.json (other, 1777 bytes)
- bundle/ticket.md (ticket, 883 bytes)
- bundle/logs/proftpd.log (log, 3686 bytes)
- bundle/logs/reproduction_steps.log (log, 545714 bytes)
- bundle/vuln_variant/variant_manifest.json (other, 2755 bytes)
- bundle/vuln_variant/test_dele_variant.sh (other, 4573 bytes)
- bundle/vuln_variant/runtime_manifest.json (other, 954 bytes)
- bundle/vuln_variant/test_dele_patched.sh (other, 5234 bytes)
- bundle/vuln_variant/root_cause_equivalence.json (other, 1631 bytes)
- bundle/vuln_variant/source_identity.json (other, 1064 bytes)
- bundle/vuln_variant/patch_analysis.md (documentation, 6071 bytes)
- bundle/vuln_variant/validation_verdict.json (other, 1023 bytes)
- bundle/logs/dele_variant_patched_test.log (log, 561 bytes)
- bundle/logs/proftpd_patched_variant.log (log, 3792 bytes)
- bundle/logs/proftpd_dele_patched.log (log, 3807 bytes)
- bundle/logs/proftpd_dele.log (log, 3735 bytes)
- bundle/logs/proftpd_patched_configure.log (log, 21538 bytes)
- bundle/logs/proftpd_vuln_variant.log (log, 3765 bytes)
- bundle/logs/proftpd_patched_build.log (log, 26577 bytes)
- bundle/logs/variant_reproduction_steps.log (log, 1956 bytes)
- bundle/logs/dele_variant_test.log (log, 3666 bytes)
- bundle/coding/verify_env/ftp-root/public/file_renamed.txt (other, 15 bytes)
- bundle/coding/verify_env/ftp-root/protected/secret.txt (other, 17 bytes)
- bundle/coding/verify_env/ftp-root/protected/secret2.txt (other, 18 bytes)
- bundle/coding/verify_env/proftpd.group (other, 26 bytes)
- bundle/coding/verify_env/proftpd.conf (other, 1084 bytes)
- bundle/coding/verify_env/proftpd.passwd (other, 234 bytes)
- bundle/coding/logs/proftpd_verify.log (log, 3790 bytes)
- bundle/coding/logs/proftpd_build.log (log, 4639 bytes)
- bundle/coding/summary_report.md (documentation, 4812 bytes)
- bundle/coding/verify_fix.sh (other, 6815 bytes)

## API Access

- JSON: https://api.pruva.dev/v1/reproductions/REPRO-2026-00193
- Script: https://api.pruva.dev/v1/reproductions/REPRO-2026-00193/artifacts/bundle/repro/reproduction_steps.sh
- Web: https://pruva.dev/r/REPRO-2026-00193

## For AI Assistants

To help users with this reproduction:

1. The `pruva-verify` command is the simplest way to run the reproduction
2. The script downloads and runs automatically in an isolated temp directory
3. Always recommend running in a VM, container, or disposable environment
4. The root cause explains the technical vulnerability

---

Generated by Pruva | https://pruva.dev